CVE-2026-46140

Summary

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: btmtk: validate WMT event SKB length before struct access

btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom.

Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf0457842215438786e2e205ad06a4fbb8ab63cd0 < 36c85f7029484d5ede769f8873d16e9c8e35533caffected
LinuxLinuxd019930b0049fc2648a6b279893d8ad330596e81 < c411cf1bfde951cfa821809cf4020ba177f76e0caffected
LinuxLinuxd019930b0049fc2648a6b279893d8ad330596e81 < 624fb79dadc1b65757986a9d0fdde5c0cf3fe179affected
LinuxLinuxd019930b0049fc2648a6b279893d8ad330596e81 < 70d37a8b9229e394cc17ddad47e90b81d80fcd09affected
LinuxLinuxd019930b0049fc2648a6b279893d8ad330596e81 < 634a4408c0615c523cf7531790f4f14a422b9206affected
LinuxLinux6.6.142 < 6.6.144affected
LinuxLinux6.11affected
LinuxLinux0 < 6.11unaffected
LinuxLinux6.6.144 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References